Method and arrangement for securing a man-machine dialogue

ABSTRACT

The invention relates to a method and arrangement for securing a man-machine dialogue between a user and at least one application, which may be executed on a terminal, whereby a communication between user and application is achieved by means of input channels and output channels on the terminal. According to the invention, the user can be given the security that he is communicating with only one particular application, whereby the input channels and/or the output channels of the terminal, together or separately, may be optionally switched by means of a switching device such that only the particular application is available.

BACKGROUND

The invention relates to a process and arrangement for securing a man-machine dialogue according to the generic concept of the independent patent claims.

A man-machine dialogue of this type is performed in digital signature procedures, for example. Digital signatures have an application everywhere that the authenticity and integrity of electronic documents are involved, for example in the areas of electronic commerce, e.g. e-commerce, banking, brokerage, etc., or in the area of public law, e.g. notarial authentication.

In order to perform a digital signature procedure, a suitable end-device is required, e.g. a special terminal or a personal computer, with which a dialogue is possible between a user and at least one application that can be performed on a terminal, whereby a communication between user and application is done via input channels and output channels of the terminal. Also, the modern terminals used in mobile telephone service essentially meet all of the prerequisites for digital signature procedures. They are equipped with alphanumeric display and keypads and implicitly have a chip card reader.

In order to perform a digital signature, the document to be signed is sent via a suitable transmission path, e.g. in mobile telephone service via the mobile telephone network, from a requesting unit, e.g. a server, to a suitable terminal and/or to a signing device in the terminal or on the chip card. The terminal and/or the signing device in the terminal or on the chip card bring the document to be signed onto the display of the terminal so that it is displayed, and prompt the user to initiate the signing operation by the keypad. For authentication, the signing device requires the user to enter a signature-PIN on the keypad. After the input of the correct signature-PIN, the signing device carries out the signature and sends it with the document back to the signature-requesting unit. It is also conceivable that the signing device (and/or the terminal) ensures the authenticity of the user by biometric processes, e.g. finger prints, speech input, etc.

Since the signature-dialogue, i.e. the display of the document to be signed, the prompting for confirmation and the prompting for input of the signature-PIN, is embedded in a superordinate application-specific dialogue, which comes from and/or is controlled by another source such as a WML-deck, i.e. not the signing device, and since in addition there are several sources for outputting on the display, e.g. other applications running in parallel, user control of the terminal, etc., the user cannot be sure whether the display of the document to be signed and the inquiry for the signature-PIN are authentic, i.e. actually come from the signing device.

Basically, the user cannot recognize from whom the data shown on the display of the terminal comes. The applications, in particular for WAP (WML-decks), are usually anonymous, i.e. they are not checked and certified by the network operator or another authority. Thus, for example, it is possible for foreign applications to imitate the signature-dialogue of the signing device in order to get at the user's signature-PIN.

The documents WO 98/19243 A2 and U.S. Pat. No. 5,822,436 A disclose processes and arrangements for handling security-critical procedures in data processing systems. In addition to the usual elements of a data processing system, such as processor and input/output units, the arrangements described contain special security devices. Thus, it is provided in WO 98/19243 A2 that the security device assumes control over the input and output units during the performance of all security-related procedures. In the patent U.S. Pat. No. 5,822,435 A, the security device is connected between the processor and the input and output units and provides for an encoding of the transmitted data. In the known processes and devices, however, it has not been provided that the input channels and/or output channels are allocated exclusively to one application at a time.

SUMMARY

The purpose of the invention is to provide a process and arrangement for securing a man-machine dialogue that makes it possible for the user to safely identify and control the source of the display information and/or to be able to control the passing on of input information in accordance with specifications.

This purpose is achieved by the characteristics of the independent patent claims.

The invention is based on the fact that the input channels and/or the output channels of the terminal, together or separately, can be switched selectively using a switching device in such a way that they are available exclusively to one specific application.

In this way, it can be ensured according to the invention, that

-   1) the outputs of a terminal, i.e. the data and text shown on the display
    -   come from a source that is known to and trusted by the user and/or
    -   the information source is shown to the user reliably by the terminal and/or
    -   the user can identify the source himself, and
-   2) the entries on the terminal (e.g. for authentication of the user with regard to a signing device, e.g. using signature-PIN (keypad), finger print (sensor), speech input (speech analysis module))
    -   are only passed on to a trusted destination that can be specified by the user and/or
    -   are only passed on to a destination that is reliably shown by the terminal.

It is also possible by the invention to ensure that a user has a dialogue, e.g. a signature-dialogue, exclusively with one specific application, e.g. a signing device. In other words, the user can be certain that the data shown on the display comes from the signing device and that his entries are passed on exclusively to the signing device.

Advantageous embodiments and additional constructions of the invention are given in the dependent patent claims.

According to the invention it is possible that different applications can each be exclusively coupled, alternatively, to the input/output channels. In other words, the user can selectively allocate the input/output channels of the terminal exclusively to exactly one application at a time.

The switching over of the input/output channels to an application can be done mechanically, electronically or using software. For this purpose the switching device preferably contains a mechanical, electronic or software-controlled switch.

In a preferred embodiment form, the switching over to a specific application is activated by a defined button on the terminal or an input code. For example, a special button can be allocated to each application that can be selected by the user.

In the case of the use of a button, the switching over is done by the user. The switching can also be initiated automatically, however, by the terminal and by special signals or commands.

In a preferred embodiment of the invention, the switching over to a specific application is shown to the user in an unambiguous manner by an optical and/or acoustic signal. If a choice can be made to switch between several applications, then a separate optical or acoustic signal will preferably be assigned to each application.

The associated application can be started at the same time as the switching over of the input/output channels.

To additionally increase the security for the user, it is provided that the source of the data of the output channel can be identified by a secret code agreed between the source and the user. Each time the data is displayed on the display of the terminal, the secret code is simultaneously displayed for authentication of the source.

The applications that can be executed can be contained in a chip card that can be used in the terminal, or in the terminal itself.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following, the invention is explained in greater detail by an embodiment example using a drawing. Additional characteristics, advantages and applications of the invention can be ascertained from the drawing and its description.

DETAILED DESCRIPTION

FIG. 1 shows schematically a terminal 1 for performing a digital signature dialogue as one of several available applications. The terminal 1 contains an input and output part 2 with a keypad 4 and a display 3, and a function and application part 7 which contains several applications 8, 9, 10. Furthermore, the terminal 1 contains a switching device 11, by which a choice can be made to switch the input and output units 3, 4 exclusively to one of the applications 8, 9, 10. The input and output part 2 and the function and application part 7 are usually housed in a common housing (not shown).

In the following, the arrangement and the process are explained by the example of the digital signature, whereby the signing device 10 inside the terminal 1 is both source and destination of the data of the signature dialogue. The signing device 10 can also be contained on a chip card (not shown) to be used with the terminal.

The signature dialogue between the user of the terminal 1 and the signing device 10 can consist of the following steps:

-   At first, the document to be signed, which is transmitted from a requesting external location, is displayed to the user on the display 3 of the terminal 1 in some manner, either directly as text or as a reference to a text or as an icon and/or image.
-   Then, the user is prompted to confirm or reject the text.
-   For this purpose, the user is prompted to authenticate himself to the signing device 10, e.g. by entering a signature PIN by the keypad 4. After that, the signing device 10 checks the input signature PIN, signs the document, if necessary saves the signature and initiates the sending of the signature to the requesting location.
-   It is possible to record the signature dialogue in the signing device 10 or in the terminal 1, and to save the documents and signatures for possible later verification procedures.

According to the invention, the input/output channels, i.e. the keypad 4 and the display 3 of the terminal 1, are made available exclusively to the signing device 10 in that a directly switched connection (signing switch) is made between the input/output channels 3, 4 and the signing device 10, whereby the switch position can be recognized by the user. For this purpose, the terminal contains a switching device 11, which provides that only one application, here the signing device 10, can communicate exclusively with the user via the input/output channels 3, 4 of the terminal 1.

In a preferred embodiment form, the activation of the switch-over into the signing position is achieved by the input of a keypad code, and in the simplest case by the activation of a special signing button 5 (signature button) on the terminal 1, whereby the activation of the button 5 controls the switching device 11. After the activation of the signature button 5, keypad 4 and display 3 of the terminal 1 are allocated fixedly and exclusively to the signing device 10, i.e. each input goes via the keypad 4 to the signing device 10 and each display on the display 3 comes from the signing device 10. This is shown in the drawing by the assignment arrow.

Instead of a manual switch-over, the switch to the signing position can also be initiated automatically by the terminal 1.

For the technical implementation of the switch-over on the terminal 1, different embodiment forms are possible. In the simplest case, the switching device 11 is a switch which, for example, is connected galvanically, electronically, or via software. In each case, the switch-over must be implemented in such a way that the user can reliably see it on the terminal 1.

An additional component of the invention is that the exclusive allocation of the input/output channels, i.e. of the keypad 4 and display 3, to the signing device 10 is shown to the user optically and/or acoustically by a special signature signal 12 used exclusively for this allocation. This signature signal is in the simplest case the switch position of a mechanical throw-over switch. It could also be, in a functional way, an illumination or a blinking of the signature button or a display element of the display 3.

An additional component of the invention is the possibility for the user to identify the source of the data of the output channel in such a manner that between the source and the user a secret code signal 6 is agreed, which, for example, appears displayed each time on the display 3. An agreed secret code between the user and signing device can, for example, be the sequence of characters 1F7D. During the prompting for the input of the signature-PIN, the following appears on the display:

“Please confirm the signing procedure by entering your signature-PIN. Auth: 1F7D”

The user recognizes by the authentication code 1F7D that the data comes from the signing device.
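The following model is an added illustration and is not code from the patent. It puts the three mechanisms of the embodiment into one runnable Python program: the switching device 11 that routes keypad 4 and display 3 exclusively to the selected application and raises a distinct signal 12, the four-step signature dialogue of the signing device 10 (document shown, confirmation, signature-PIN check, signing and recording), and the agreed code 6 ("1F7D") that the signing device appends to every line it outputs. All class and function names, the demo PIN, the key and the document are constructed assumptions; HMAC-SHA256 stands in for the digital signature the patent describes, since the signing algorithm itself is not the subject of the patent.

```python
"""Added model (not the patent's code): a switching device that binds display and
keypad to one application, and a signing device running the signature dialogue."""
import hashlib
import hmac


class ChannelNotAllocated(Exception):
    """An application tried to use channels currently allocated to another."""


class Terminal:
    """Terminal 1 with display 3, keypad 4, switching device 11 and signal 12."""

    def __init__(self):
        self.display = []        # lines shown to the user
        self.keypad = []         # user entries, consumed in order
        self.signal = None       # signature signal 12: who owns the channels
        self.selected = None     # application the channels are switched to

    def select(self, app):
        """Switching device 11: allocate both channels exclusively to app."""
        self.selected = app
        self.signal = f"LED:{app.name}"     # a distinct signal per application

    def route_output(self, app, text):
        if app is not self.selected:
            raise ChannelNotAllocated(f"{app.name} does not own the display")
        self.display.append(text)

    def route_input(self, app):
        if app is not self.selected:
            raise ChannelNotAllocated(f"{app.name} does not own the keypad")
        return self.keypad.pop(0)


class Application:
    """Any application 8, 9, 10; it reaches the user only via the terminal."""

    def __init__(self, name, terminal):
        self.name, self.terminal = name, terminal

    def show(self, text):
        self.terminal.route_output(self, text)

    def read_keypad(self):
        return self.terminal.route_input(self)


class SigningDevice(Application):
    """Signing device 10 with signature-PIN, agreed code 6 and a signing key."""

    def __init__(self, terminal, pin, auth_code, key):
        super().__init__("signing", terminal)
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.auth_code = auth_code          # agreed secret code, e.g. 1F7D
        self.key = key                      # constructed demo key
        self.log = []                       # recorded dialogue (document, signature)

    def prompt(self, text):
        # Every line carries the agreed code so the user can recognise the source.
        self.show(f"{text} Auth: {self.auth_code}")

    def signature_dialogue(self, document):
        self.prompt(document)                          # step 1: show document
        self.prompt("Confirm (Y) or reject (N)?")      # step 2: confirm/reject
        if self.read_keypad() != "Y":
            return None
        self.prompt("Please confirm the signing procedure by entering your signature-PIN.")
        entered = hashlib.sha256(self.read_keypad().encode()).digest()
        if not hmac.compare_digest(entered, self.pin_hash):   # step 3: check PIN
            self.prompt("Signature-PIN rejected.")
            return None
        # HMAC-SHA256 stands in here for the digital signature the patent describes.
        signature = hmac.new(self.key, document.encode(), hashlib.sha256).digest()
        self.log.append((document, signature))         # step 4: record dialogue
        return signature


def run_scenario():
    """Constructed run: signature button pressed, foreign app blocked, dialogue done."""
    key = b"constructed-demo-key"
    term = Terminal()
    browser = Application("wap-browser", term)        # a foreign application 8
    signer = SigningDevice(term, pin="4711", auth_code="1F7D", key=key)
    document = "Transfer 100 EUR to account 123"      # from the requesting unit
    term.select(signer)                                # signature button 5 pressed
    rogue_blocked = False
    try:                                               # browser may no longer write
        browser.show("Enter your signature-PIN:")
    except ChannelNotAllocated:
        rogue_blocked = True
    term.keypad.extend(["Y", "4711"])                  # user's confirmation and PIN
    signature = signer.signature_dialogue(document)
    expected = hmac.new(key, document.encode(), hashlib.sha256).digest()
    return {
        "rogue_blocked": rogue_blocked,
        "signal": term.signal,
        "verified": signature is not None and hmac.compare_digest(signature, expected),
        "all_lines_marked": all(line.endswith("Auth: 1F7D") for line in term.display),
    }
```

Calling `run_scenario()` shows the property the patent is after: once the switch is in the signing position, an attempt by the browser application to put its own PIN prompt on the display is refused by the switching device, the signal reads `LED:signing`, every line the user sees ends with the agreed code, and the keypad entries reach only the signing device.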

DRAWING KEY

-   1 Terminal
-   2 Input/output part
-   3 Display
-   4 Keypad
-   5 Signature button
-   6 Code signal
-   7 Function/application part
-   8 First application
-   9 Second application
-   10 Signing device (third application)
-   11 Switching device
-   12 Signature signal

1. A process for securing a man-machine dialog between a human user and a digital signature device application, comprising: selecting the digital signature device application from a plurality of applications on a terminal which may be executed on the terminal, whereby communication between the human user and the digital signature device application is achieved by means of at least one input channel on the terminal through which the user provides input communication to the terminal and at least one output channel on the terminal through which output communication is provided to the user, wherein the output channel comprises a display; selectively switching the input channel and/or the output channel of the terminal together or separately such that one or both channels are only available to the digital signature device application exclusively and the input/output channels are allocated exclusively to only said digital signature device application at a time, wherein the digital signature device application is itself present in a chip card that can be used with the terminal or is in the terminal itself; wherein the digital signature device application comprises the following steps: a document to be signed is sent from a signature requesting location to the terminal and the document is displayed on the display, the user enters data to verify the authenticity of the user, the digital signature device application checks the authenticity of the verifying data, and the document is signed and then sent back to the requesting location.

2. The process according to claim 1, wherein the plurality of applications can each be alternatively exclusively coupled to the input/output channels.

3. The process according to claim 1, wherein the switching is done mechanically, electronically, or using software.

4. The process according to claim 1, wherein the switching is activated by a defined button on the terminal or an input code.

5. The process according to claim 1, wherein the switching is done manually by the user or automatically by the terminal.

6. The process according to claim 1, wherein the switching to the one selected application is displayed to the user in an unambiguous manner by an optical and/or acoustic signal.

7. The process according to claim 1, wherein the one selected application is started simultaneously with the switching.

8. The method of claim 1, wherein the input channel comprises a keyboard.

9. The method of claim 1, wherein the data entered to authenticate is a PIN.

10. The method of claim 1, wherein the data entered to authenticate is biometric data inputted by the user.

11. A process for securing a man-machine dialog between a human user and one application, comprising: selecting one application from a plurality of applications on a terminal which may be executed on the terminal, whereby communication between the human user and the one selected application is achieved by means of at least one input channel on the terminal through which the user provides input communication to the terminal and at least one output channel on the terminal through which output communication is provided to the user, wherein the output channel comprises a display; selectively switching the input channel and/or the output channel of the terminal together or separately such that one or both channels are only available to the one selected application exclusively and the input/output channels are allocated exclusively to only said one selected application at a time, wherein the source of data of the output channel is identified by a secret code that has been agreed to between a source and the user and the secret code appears on the display; wherein the selected application is a digital signature device application comprising the following steps: a document to be signed is sent from a signature requesting location to the terminal and the document is displayed on the display, the user enters data to verify the authenticity of the user, the digital signature device application checks the authenticity of the verifying data, and the document is signed and then sent back to the requesting location.

12. The process according to claim 11, wherein the secret code appears on a display every time the data of the source is displayed.

13. An arrangement for securing a man-machine dialog, comprising: a terminal with at least one input channel through which a human user provides input communication to the terminal and at least one output channel comprising a display through which output communication is provided to the user and a plurality of applications on the terminal that can be executed on the terminal and that communicate, for the dialog with the user, by means of the input channel and output channel; the terminal including a switching device by which the input channel and/or the output channel of the terminal, together or separately, may be selectively switched such that they are only available exclusively to one application selected from the plurality of applications, wherein the input/output channels are allocated exclusively to only the one selected application at a time, and wherein the one selected application is a digital signature device; wherein the digital signature device includes a program that receives a document to be signed from a signature requesting location, displays the document on the display, receives data entered by the user to verify the authenticity of the user, checks the authenticity of the verifying data, signs the document and sends the document to the requesting location, wherein the digital signature device is contained in the terminal or a chip card that can be used with the terminal.

14. The arrangement according to claim 13, wherein the switching device comprises a mechanical, electronic, or software-controlled switch.

15. The arrangement according to claim 13, wherein the input channels and output channels are comprised of a keypad and a display of the terminal.